Black Duck Software

Black Duck - Software Composition Analysis (SCA) Tool for OSS and SBOM Management

What is Black Duck SCA?

As the use of OSS grows at a rapid pace, license management and vulnerability response have become key challenges for enterprises. Black Duck SCA is a comprehensive solution for managing the security, license compliance, and code quality risks that arise when using open source in any software artifact or library, including applications and containers. As the leader in software composition analysis (SCA), Black Duck maximizes visibility into third-party dependencies, enabling you to manage the risks posed by your software supply chain.

Functions and Features

  • OSS vulnerability management
    By cataloging over 8.1 million unique open source projects, Black Duck quickly identifies the vulnerabilities and license risks in the OSS you use, so you learn about a newly published issue before it is exploited against you.
  • Enhancing License Compliance
    Accurately assess the license risk of each OSS component you use and avoid license compliance violations. Complex or conflicting license conditions are surfaced explicitly so that legal risk can be minimized before release.
  • SBOM (Software Bill of Materials) Output
    The list of OSS components identified by a scan can be exported in formats such as SPDX and CycloneDX. Third-party SBOMs can also be imported: their entries are automatically mapped to known components, and new components are created to represent dependencies on custom or commercial components that have no catalog match.
  • Prioritizing Security Risks
    You can define your own open source security and usage policies based on criteria such as license type, vulnerability severity, and component version. Policies are enforced through automated workflow triggers, notifications, and bidirectional integration with Jira or Azure, so remediation work is opened and reported without manual effort. A policy can keep development teams from adopting a risky component and fail a build if such a component reaches a release stream. Every identified dependency is also risk-assessed to help you prioritize remediation.
  • Vulnerability monitoring and alerts
    Notifies you when a new vulnerability is reported against an OSS component already identified in your scans. A filter lets you set the severity threshold at which you want to be alerted.
  • OSS license monitoring and alerts
    It accurately identifies the licenses used by your application's dependencies, including explicitly declared licenses, sublicenses, and embedded licenses, extracts the requirements and restrictions associated with each license, and displays them clearly along with the full license text and copyright information. It can also automatically generate Notice files, which are required by almost all open source licenses.
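The two policy checks described above (fail on vulnerability severity, fail on a denied license) are easy to reproduce outside the product once an SBOM has been exported. The following Python script is an added example, not Black Duck's own code: it reads a CycloneDX JSON document of the kind the SBOM report emits, applies a policy, and exits non-zero when a violation is found, which is how a CI job would block a release. The embedded SBOM is a constructed sample (the log4j-core 2.14.1 / CVE-2021-44228 pairing is real public data; `example-gpl-lib` is a placeholder component), and the thresholds in `Policy` are assumptions you would replace with your own rules.

```python
"""Policy gate over a CycloneDX JSON SBOM (added example, not Black Duck code)."""
import json
import sys
from dataclasses import dataclass, field

# Constructed sample SBOM. log4j-core 2.14.1 and CVE-2021-44228 are real public
# data; "example-gpl-lib" is a placeholder component invented for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:npm/example-gpl-lib@1.0.0",
         "name": "example-gpl-lib", "version": "1.0.0",
         "purl": "pkg:npm/example-gpl-lib@1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.21",
         "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"expression": "MIT"}]},
    ],
    "vulnerabilities": [
        {"id": "CVE-2021-44228",
         "ratings": [{"severity": "critical", "score": 10.0, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
    ],
})

# CycloneDX rating severities, ordered so a threshold can be compared numerically.
SEVERITY_RANK = {"none": 0, "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    # Assumed thresholds for the example; a real policy comes from your own rules.
    fail_on_severity: str = "high"          # block at this severity or above
    denied_licenses: set = field(default_factory=lambda: {"GPL-3.0-only", "AGPL-3.0-only"})


@dataclass
class Violation:
    component: str   # bom-ref (or purl) of the offending component
    rule: str        # "license" or "vulnerability"
    detail: str      # license id/expression or vulnerability id


def component_licenses(component):
    """Return the SPDX ids or expressions declared for one component."""
    out = []
    for entry in component.get("licenses", []):
        if "license" in entry:              # {"license": {"id": ...}} or {"name": ...}
            lic = entry["license"]
            out.append(lic.get("id") or lic.get("name", "UNKNOWN"))
        elif "expression" in entry:         # {"expression": "MIT OR GPL-2.0-only"}
            out.append(entry["expression"])
    return out


def highest_severity(vuln):
    """Numeric rank of the worst rating attached to a vulnerability entry."""
    ranks = [SEVERITY_RANK.get(r.get("severity", "none").lower(), 0)
             for r in vuln.get("ratings", [])]
    return max(ranks, default=0)


def evaluate(sbom_json: str, policy: Policy):
    """Apply the policy to a CycloneDX JSON document and return the violations."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = {c.get("bom-ref") or c.get("purl"): c for c in bom.get("components", [])}
    violations = []
    # License rule. An expression such as "MIT OR GPL-3.0-only" is matched token by
    # token, so a denied license anywhere in the expression is flagged. That is the
    # conservative choice: let a human confirm which branch of the OR was taken.
    for ref, comp in components.items():
        for lic in component_licenses(comp):
            tokens = set(lic.replace("(", " ").replace(")", " ").split())
            if tokens & policy.denied_licenses:
                violations.append(Violation(ref, "license", lic))
    # Vulnerability rule. Only findings that reference a component in this BOM count.
    threshold = SEVERITY_RANK[policy.fail_on_severity]
    for vuln in bom.get("vulnerabilities", []):
        if highest_severity(vuln) >= threshold:
            for aff in vuln.get("affects", []):
                ref = aff.get("ref")
                if ref in components:
                    violations.append(Violation(ref, "vulnerability", vuln["id"]))
    return violations


def main(argv):
    # Usage: python sbom_gate.py [sbom.cdx.json]; with no argument the sample is used.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_SBOM
    violations = evaluate(text, Policy())
    for v in violations:
        print(f"{v.rule:13} {v.component}: {v.detail}")
    return 1 if violations else 0     # non-zero exit fails the CI stage


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, the gate reports one license violation (example-gpl-lib, GPL-3.0-only) and one vulnerability violation (log4j-core, CVE-2021-44228) and exits 1. Note that this is a point-in-time check on an exported document; the continuous alerting described above still has to come from the server, which re-evaluates already-scanned components as new vulnerabilities are published.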

Deployment configuration

  • Black Duck Detect (scan client)
    A command-line tool that connects to a Black Duck server and scans source directories, binaries and executables, Docker images and distributions, and more. It runs where the code or artifact lives, typically on a developer workstation or a CI build agent, and uploads the results to the server.
  • Black Duck Server
    Hosts the web interface and the scan results. The components identified by a scan, together with the vulnerabilities and license risks of each component, are displayed in the browser.
  • KB (KnowledgeBase)
    The database of open source components, versions, vulnerabilities, and licenses against which scan results are matched. It is maintained by Black Duck Software and hosted in a Black Duck Software data center; the on-premises server queries it over HTTPS.

System requirements

OS Support
  • Red Hat Enterprise Linux Server 8.9 and 9.x
  • Ubuntu 20.04.x
  • SUSE Linux Enterprise Server version 12.x (64-bit)
  • Oracle Enterprise Linux 7.9
Database
  • PostgreSQL (recommended)
Minimum hardware requirements (sized for 120 scans per hour)
  • CPU: 15 cores
  • Memory: 72 GB
  • Disk space: at least 250 GB free (grows with the volume of scanned data)
Network requirements
  • Port 443 (HTTPS): browser and scan-client access to the Black Duck server
  • Port 55436: report database access; expose it only to the reporting hosts that need it
  • Outbound Internet access (HTTPS) from the Black Duck server, used for KB lookups

*These figures vary with the Black Duck SCA version, operating environment, scan targets, and so on; check the documentation for the version you deploy.

FAQ

What OSS projects does Black Duck support?

By cataloging over 8.1 million unique open source projects, Black Duck matches the components that make up your software with a high degree of accuracy, including modified code and open source code snippets.

How can I integrate Black Duck into my development process?

It integrates with CI/CD tools and source control systems (Git, Jenkins, etc.) so that scans run at every phase of development, and policy violations can fail a build before the affected artifact is released.

How fast is Black Duck's scanning speed?

Depending on the size and complexity of the software, a typical project can be scanned in a matter of minutes to a few hours, and there are options available to optimize scan times.

How is SBOM generated?

Black Duck can output a software bill of materials (SBOM) via the SBOM report, with the option to output in SPDX/CycloneDX or other formats.